BMC Software Information for VU#121036

BMC Track-It! contains multiple vulnerabilities

Status

Affected

Vendor Statement

BMC has issued an advisory to all Track-It! customers with the details of the disclosed vulnerabilities and the availability of hotfixes.

Resolved issues:

  • CWE-89: SQL Injection - CVE-2014-4873
      • Hotfix available
      • See Article ID TIA07454 on Numara support site
  • CWE-264: Arbitrary file download - CVE-2014-4874
      • Hotfix available
      • See Article ID TIA07453 on Numara support site

Resolutions under development:

  • CWE-306: Improper Authentication for .NET services - CVE-2014-4872
      • Until hotfixes are available we recommend that you block all communications from untrusted networks to TCP/UDP ports 9010 to 9020. This will also block SelfService and trackitweb from being used from external networks.
      • See Articles TIA07456, TIA07457, and TIA07455 for current status

If you have any questions regarding this security notification, please contact Track-It! Support by opening a case at: https://support.numarasoftware.com/

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

None

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.